Arbitrary JavaScript execution in PDF.js (MINDBREEZE31126)

ID: MINDBREEZE31126 
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS 
Severity: 7.5 High 
Status: Final 
First published: May 24, 2024 
CVEs: CVE-2024-4367 

Summary

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context.

Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: 

• Mindbreeze InSpire 24.3 Hotfix 1 Release 
• Mindbreeze InSpire SaaS 24.3 Hotfix 1 Release